Re: [PATCH] Enable SSL library detection via PQsslAttribute

[Jacob Champion]

On Wed, 2022-02-23 at 14:11 -0500, Andrew Dunstan wrote:
> On 2/23/22 13:38, Jacob Champion wrote:
> > 
> > If this looks good, I'm not sure how best to test it in the regression
> > suite. I see that libpq has an installcheck recipe that compiles a test
> > executable for URI parsing; should I add a simple test alongside that?
> 
> Create a TAP tests that calls a small client?

First stab in v2-0002. Though I see that Andres is overhauling the
tests in this folder today [1], so I'll need to watch that thread. :)

Thanks!
--Jacob

[1] 
https://www.postgresql.org/message-id/20220223203031.ezrd73ohvjgfksow%40alap3.anarazel.de

From a5e5549ccec9c70a510f031a678e9f0f32a35382 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchamp...@vmware.com>
Date: Mon, 29 Nov 2021 14:36:38 -0800
Subject: [PATCH v2 1/2] Enable SSL library detection via PQsslAttribute()

Currently, libpq client code must have a connection handle before it can
query the "library" SSL attribute. This poses problems if the client
needs to know what SSL library is in use before constructing a
connection string. (For example, with the NSS proposal, a client would
have to decide whether to use the "ssldatabase" connection setting
rather than "sslcert" et al.)

Allow PQsslAttribute(NULL, "library") to return the library in use --
currently, just "OpenSSL" or NULL. The new behavior is announced with
the LIBPQ_HAS_SSL_LIBRARY_DETECTION feature macro, allowing clients to
differentiate between a libpq that was compiled without SSL support and
a libpq that's just too old to tell.
---
 src/interfaces/libpq/fe-secure-openssl.c | 6 +++---
 src/interfaces/libpq/libpq-fe.h          | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index f6e563a2e5..e095a0f538 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1597,14 +1597,14 @@ PQsslAttributeNames(PGconn *conn)
 const char *
 PQsslAttribute(PGconn *conn, const char *attribute_name)
 {
+	if (strcmp(attribute_name, "library") == 0)
+		return "OpenSSL";
+
 	if (!conn)
 		return NULL;
 	if (conn->ssl == NULL)
 		return NULL;
 
-	if (strcmp(attribute_name, "library") == 0)
-		return "OpenSSL";
-
 	if (strcmp(attribute_name, "key_bits") == 0)
 	{
 		static char sslbits_str[12];
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index 20eb855abc..7986445f1a 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -36,6 +36,8 @@ extern "C"
 #define LIBPQ_HAS_PIPELINING 1
 /* Indicates presence of PQsetTraceFlags; also new PQtrace output format */
 #define LIBPQ_HAS_TRACE_FLAGS 1
+/* Indicates that PQsslAttribute(NULL, "library") is useful */
+#define LIBPQ_HAS_SSL_LIBRARY_DETECTION 1
 
 /*
  * Option flags for PQcopyResult
-- 
2.25.1


From ff31c3275fbf57e1e5edef9c2926f2bd23ec8512 Mon Sep 17 00:00:00 2001
From: Jacob Champion <pchamp...@vmware.com>
Date: Thu, 10 Feb 2022 14:41:04 -0800
Subject: [PATCH v2 2/2] WIP: add regression test for PQsslAttribute()

---
 src/interfaces/libpq/test/.gitignore   |  1 +
 src/interfaces/libpq/test/Makefile     |  5 +++-
 src/interfaces/libpq/test/testclient.c | 37 ++++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 src/interfaces/libpq/test/testclient.c

diff --git a/src/interfaces/libpq/test/.gitignore b/src/interfaces/libpq/test/.gitignore
index 5387b3b6d9..a6be825f3c 100644
--- a/src/interfaces/libpq/test/.gitignore
+++ b/src/interfaces/libpq/test/.gitignore
@@ -1,3 +1,4 @@
+/testclient
 /uri-regress
 /regress.diff
 /regress.out
diff --git a/src/interfaces/libpq/test/Makefile b/src/interfaces/libpq/test/Makefile
index 4832fab9d2..10cf3a34df 100644
--- a/src/interfaces/libpq/test/Makefile
+++ b/src/interfaces/libpq/test/Makefile
@@ -2,6 +2,8 @@ subdir = src/interfaces/libpq/test
 top_builddir = ../../../..
 include $(top_builddir)/src/Makefile.global
 
+export with_ssl
+
 ifeq ($(PORTNAME), win32)
 LDFLAGS += -lws2_32
 endif
@@ -9,13 +11,14 @@ endif
 override CPPFLAGS := -I$(libpq_srcdir) $(CPPFLAGS)
 LDFLAGS_INTERNAL += $(libpq_pgport)
 
-PROGS = uri-regress
+PROGS = testclient uri-regress
 
 all: $(PROGS)
 
 installcheck: all
 	SRCDIR='$(top_srcdir)' SUBDIR='$(subdir)' \
 		   $(PERL) $(top_srcdir)/$(subdir)/regress.pl
+	$(prove_installcheck)
 
 clean distclean maintainer-clean:
 	rm -f $(PROGS) *.o
diff --git a/src/interfaces/libpq/test/testclient.c b/src/interfaces/libpq/test/testclient.c
new file mode 100644
index 0000000000..2c730d83fa
--- /dev/null
+++ b/src/interfaces/libpq/test/testclient.c
@@ -0,0 +1,37 @@
+/*
+ * testclient.c
+ *		A test program for the libpq public API
+ *
+ * Copyright (c) 2022, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *		src/interfaces/libpq/test/testclient.c
+ */
+
+#include "postgres_fe.h"
+
+#include "libpq-fe.h"
+
+static void
+print_ssl_library()
+{
+	const char *lib = PQsslAttribute(NULL, "library");
+
+	if (!lib)
+		fprintf(stderr, "SSL is not enabled\n");
+	else
+		printf("%s\n", lib);
+}
+
+int
+main(int argc, char *argv[])
+{
+	if ((argc > 1) && !strcmp(argv[1], "--ssl"))
+	{
+		print_ssl_library();
+		return 0;
+	}
+
+	printf("currently only --ssl is supported\n");
+	return 1;
+}
-- 
2.25.1